I was looking for a solution everywhere, but maybe because of a lack of specialized words I can't find it.

I've got a problem finding a program, but I don't know how to describe it in one word, so I'll describe it in full:

In a company there is a usual situation where some of the workers need to know the login/password for external cooperants (for example suppliers, banks). For these the company has only one login/password (because it identifies the company, not its workers). However, there is a problem when a worker is fired. He/she knows the password, so there is a danger that he/she can do damage. So I'm looking for a program that will store all company passwords and only grant workers the privilege to access a site with the login/password, but without showing it to them.

I know that there is already a similar topic here, but as far as I understand it is more about managing passwords inside the company.


One issue that neither of the answers (so far) has covered is the idea that a user might know he/she is about to be terminated, and write down the passwords from the password manager vault. So even if you find the perfect technical solution for password storage, you still need to change every password they have access to anyway.
– Polynomial Jan 11 '13 at 10:44

5 Answers

Firstly, it is bad policy to have non-individual-based passwords, and the first course of action would be to set up individual accounts for the users.

If the supplier cannot do that, then an alternative action would be to set up a simple federated trust model where the users never sign in to the 3rd party site but simply "single sign on" to the site using a federated trust model. There are industry standards for this such as SAML2 that allow you (and your company) to retain the identity management (including joiners/leavers/movers).

Clearly this will only work if you disallow normal login to the third party site. My client does this with every SaaS site that their employees use.

Restrict the number of shared passwords to the absolute minimum that is possible.

When an employee is terminated, change any shared password they knew.

The solution you are looking for - some sort of browser extension that stores the encrypted passwords for shared sites and then, on the user authenticating, uses the shared password to log on - would be great for your situation, but it has the problem that the end user is trusted (in the technical sense of the word, which is having to trust them since they have physical access to the computer).

I would look into LastPass. Each user has their own account and unique login to LastPass. You create one master account, which has all company logins. You can share logins, and choose to hide or show the password to the other user(s).

I have to warn you that it's fairly easy for a user to get the password anyway. With some IT skills, you can copy the login page to a local web server, like Apache installed on a local computer. Change the hosts file so that the company domain name is routed to localhost, serve the saved login page to the browser, and LastPass will probably fill in the password there. With some scripting skills you can reveal the password. (Disclaimer: I haven't tested the localhost hack, but I'm fairly sure it works like that.)

With the shared password option there is a better alternative. When an employee leaves the company, you delete the share, request a new password, and change that in the master account. The login is then updated for all remaining shared accounts.

If I am not mistaken, Secret Server is a product that lets you use role-based access and hides the actual password as well, unless you have the right to see it. You can still USE the password, since clients for RDP, PuTTY and web are integrated. That way the user can USE the password but doesn't see the password. It makes things easier, since you won't have to change every single password every time someone quits their job.
Copied from the User Guide for Secret Server:

Secret Server's Launcher opens a connection to the remote computer or logs into a website using the Secret's credentials directly from the Web page. While this provides a convenient method of opening RDP and PUTTY connections, it also circumvents Users being required to know their passwords. A User can still gain access to a needed machine, but is not required to view or copy the password out of Secret Server. The Web Launcher will automatically log into websites using the client's browser.
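To make concrete the difference between an extension that autofills the secret on the worker's machine and a launcher-style broker that logs in on the worker's behalf, here is an added example of my own (not code from any of the answers, and not Secret Server's or LastPass's implementation): a minimal server-side credential broker in Python, where the third-party site, worker names and passwords are all constructed stand-ins. Revoking a leaver is a one-line grant removal, and rotating the shared password after a leaver happens in one place.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


class ThirdPartySite:
    """Constructed stand-in for a supplier or bank portal with one company login."""

    def __init__(self, username: str, password: str) -> None:
        self._username, self._password = username, password
        self.sessions: Dict[str, str] = {}

    def login(self, username: str, password: str) -> Optional[str]:
        # The site only ever sees the shared company credential, never a worker.
        if username == self._username and hmac.compare_digest(password, self._password):
            sid = secrets.token_hex(16)
            self.sessions[sid] = username
            return sid
        return None

    def rotate_password(self, new_password: str) -> None:
        self._password = new_password


@dataclass
class CredentialBroker:
    """Holds the shared credential server-side; workers receive sessions, not secrets."""
    site: ThirdPartySite
    username: str
    password: str
    grants: Set[str] = field(default_factory=set)           # worker ids allowed to launch
    audit: List[Tuple[str, str]] = field(default_factory=list)  # who did what

    def grant(self, worker: str) -> None:
        self.grants.add(worker)

    def revoke(self, worker: str) -> None:
        # Leaver handling: drop the grant; the password itself was never on their machine.
        self.grants.discard(worker)
        self.audit.append((worker, "revoked"))

    def launch(self, worker: str) -> Optional[str]:
        """Log the worker in on their behalf; only the session id is returned."""
        if worker not in self.grants:
            self.audit.append((worker, "denied"))
            return None
        sid = self.site.login(self.username, self.password)
        self.audit.append((worker, "launched" if sid else "login-failed"))
        return sid

    def rotate(self) -> None:
        """If a leaver may still have seen the old secret, rotate it in one place for everyone."""
        new_password = secrets.token_urlsafe(24)
        self.site.rotate_password(new_password)
        self.password = new_password
        self.audit.append(("broker", "rotated"))
```

The audit list is what makes revocation reviewable: every launch and denial is attributed to an individual worker even though the third-party site only knows the company account.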